Cloud Security Roles


Make sure that all cloud security roles and responsibilities are accounted for.

The focus for this article is cybersecurity for Physical Security as a Service (PSaaS) cloud-based offerings, meaning subscription-based offerings that include system software for managing and utilizing on-premises security system equipment such as card readers, security video surveillance cameras, intrusion detection devices, and so on. The system software is the key element of a PSaaS offering with which the users interact. It is provided as a cloud-based Software as a Service (SaaS) application.

Well-designed and soundly implemented cloud-based applications can be much more secure than in-house applications, but only if all of the security roles and responsibilities are understood and accounted for. This is why security integrators must understand all of the roles and responsibilities relating to the security of SaaS applications and their data, and to the security of the on-premises equipment as well.

Growing Value of Security System Data

The proven high worth of video analytics for retail organizations is a good example of how security system analytics data continues to increase in value as the capabilities of analytics and big data analysis evolve. Such analytics data contain personally identifiable information (PII), as well as other data that requires privacy protection (such as security investigation records). Advances in electronic security systems mean that, going forward, the cybersecurity protection of security system data will continue to increase in importance.

Roles and Responsibilities

There are cybersecurity responsibilities for both the on-premises and cloud-based elements of a PSaaS solution. Who is responsible for the cybersecurity of each part? Table 1 lists the roles and responsibilities for a simple PSaaS solution.

Table 1. PSaaS Offering Cybersecurity Roles and Responsibilities

Role: Cloud Service Customer
Description: Utilizes the PSaaS offering for security operations and investigations, and uses the business-related video analytics data for business planning and decision-making.
Security Responsibilities:

  • Identifying and/or specifying the cybersecurity requirements of data that will reside in the cloud. That includes the classification of the data (confidential, private, etc.) as well as any regulatory requirements such as country residency (data must be stored within that country). Classification and residency requirements determine the encryption requirements and the backup data location options
  • Approving the cybersecurity profile of the cloud service, including its on-premises equipment
  • Stringent management of user logon credentials for the SaaS application and the on-premises security systems equipment, unless the integrator provides user logon credential management as a service
  • Regularly reviewing/auditing system and device access records and user access privilege assignments, and promptly performing or initiating termination of access privileges when appropriate (for example, when an employee leaves or changes role, or when an account has gone unused)
  • Network security for the on-premises equipment, if the on-premises equipment resides on, or connects to the Internet via, the corporate network

Role: Security Systems Integrator
Description: Installs and maintains the PSaaS on-premises equipment.
Security Responsibilities:

  • Verifying the status of cybersecurity controls for the PSaaS offering and any cloud-based integrations involved
  • Accurately informing the customer of the cybersecurity profile of the cloud service
  • Cyber-secure configuration of the on-premises equipment
  • Stringent management of service technician logon credentials for accessing on-premises equipment and the cloud service, including removal of a technician's access when that technician leaves the integrator or is reassigned

Role: PSaaS Vendor
Description: Provides the SaaS application, and provides or specifies the on-premises equipment that the Security Systems Integrator resells.
Security Responsibilities:

  • The cybersecurity of the SaaS application and any cloud-based integrations to it
  • Cyber-secure configuration capabilities for any on-premises equipment provided or specified
  • System hardening guidance
  • A vulnerability disclosure policy, and a method by which integrators and their customers can report cyber vulnerabilities
  • Ensuring that sales and marketing people have accurate information about cloud security measures and can speak or write about them correctly

Role: Cloud Infrastructure Provider
Description: Provides the Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) infrastructure on which the SaaS application runs (such as Microsoft Azure or Amazon AWS). Both Amazon and Microsoft publish a "shared responsibility model" that documents this division of duties: the provider is responsible for security "of" the cloud, and its tenants for security "in" the cloud.
Security Responsibilities:

  • Physical, compute, storage and network security of the cloud infrastructure it provides

Not responsible for:

  • SaaS application security (that belongs to the PSaaS Vendor as the provider's tenant)
  • On-premises equipment
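The access review responsibilities in Table 1 (the customer's review of user access privileges and timely termination, and the integrator's management of technician credentials) are easier to live up to when the review is automated. The following script is an added example, not code from the original article or from any PSaaS vendor. It reconciles a constructed SaaS user export against a constructed HR roster and a dormancy threshold, and groups the findings by which party must act on them. The data, account names and the 90-day dormancy window are assumptions for illustration; a real deployment would pull the user list from the vendor's export or API and the roster from the customer's HR or directory system.

```python
"""Periodic access review for a PSaaS tenant (illustrative example; constructed data)."""
from datetime import datetime, timedelta, timezone

# Constructed HR roster for the Cloud Service Customer (hypothetical accounts).
HR_ROSTER = {
    "alice@example.com": "active",
    "bob@example.com": "terminated",
    "carol@example.com": "active",
}

# Constructed SaaS user export. "owner" records who manages the credential per Table 1:
# the customer for its own users, the integrator for its service technicians.
SAAS_USERS = [
    {"login": "alice@example.com", "role": "operator", "last_login": "2016-11-10T08:12:00Z", "owner": "customer"},
    {"login": "bob@example.com", "role": "admin", "last_login": "2016-10-01T17:45:00Z", "owner": "customer"},
    {"login": "carol@example.com", "role": "operator", "last_login": "2016-06-02T09:00:00Z", "owner": "customer"},
    {"login": "tech-7@integrator.example", "role": "admin", "last_login": "2016-11-12T13:30:00Z", "owner": "integrator"},
    {"login": "tech-3@integrator.example", "role": "admin", "last_login": "2016-04-20T11:05:00Z", "owner": "integrator"},
]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2016, 11, 15, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_access(users, hr_roster, now, dormant_days=90):
    """Return a finding for every account that should be disabled or reviewed.

    Customer-owned accounts are checked against the HR roster; integrator
    technician accounts are not in the customer's HR system, so only the
    dormancy check applies to them. Privileged (admin) accounts with any
    issue are flagged so they can be handled first.
    """
    findings = []
    for user in users:
        reasons = []
        action = "review"
        if user["owner"] == "customer":
            status = hr_roster.get(user["login"])
            if status is None:
                reasons.append("no HR record")
                action = "disable"
            elif status != "active":
                reasons.append(f"HR status {status}")
                action = "disable"
        if now - parse_ts(user["last_login"]) > timedelta(days=dormant_days):
            reasons.append(f"dormant > {dormant_days} days")
        if user["role"] == "admin" and reasons:
            reasons.append("privileged account")
        if reasons:
            findings.append({"login": user["login"], "owner": user["owner"],
                             "action": action, "reasons": reasons})
    return findings


def report(findings):
    """Group findings by the party responsible for acting on them."""
    by_owner = {}
    for f in findings:
        line = f"{f['action']}: {f['login']} ({', '.join(f['reasons'])})"
        by_owner.setdefault(f["owner"], []).append(line)
    return by_owner


if __name__ == "__main__":
    for owner, lines in report(review_access(SAAS_USERS, HR_ROSTER, NOW)).items():
        print(f"Action required by {owner}:")
        for line in lines:
            print("  " + line)
```

Run against the constructed data, the terminated admin "bob" is flagged for the customer to disable, the long-idle operator "carol" for the customer to review, and the idle technician account "tech-3" for the integrator to review; the two accounts with recent logins and active status produce no findings. The point of grouping by owner is that each finding lands with the role that Table 1 makes responsible for that credential.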


Complex Deployments

Cybersecurity responsibilities for more complex PSaaS deployments are simply extended across the vendors and cloud infrastructure providers involved. It is possible, for example, to have several PSaaS vendors (for example, one each for access control, video management, video analytics and visitor management). Each PSaaS vendor may have a different cloud infrastructure provider. There may be both cloud-level integrations and on-premises integrations between the various PSaaS offerings. All of the cybersecurity issues must be identified and the responsibilities accounted for, to assure that there are no gaps in cybersecurity protection; an integration between two vendors' offerings is exactly where a responsibility can fall between the parties unless it is assigned explicitly. This should be reflected in the documentation of the various product and service offerings. Assurance of continuous conformance to cybersecurity requirements should be provided by the chain of Service Level Agreements from Cloud Infrastructure Provider to PSaaS Vendor to Security Systems Integrator to Cloud Service Customer.

Clarity is a Requirement

Whether the picture is simple or complex, it is important to assure the cybersecurity of a PSaaS offering by determining, fully agreeing on, documenting, and verifying who is responsible for what, and how those responsibilities will be lived up to.

This article first appeared in Security Dealer and Integrator magazine’s November 2016 issue.

Other Articles in this Series

This is the fifth article in Ray Bernard’s series in Security Dealer and Integrator magazine dealing with cloud-based systems.

Here are links to the other articles:

Avoid Key Cloud Services Mistakes
(SD&I March 2016)
www.SecurityInfoWatch.com/12177153

Cloud Computing: Clarity or Confusion?
(SD&I June 2016)
www.SecurityInfoWatch.com/12211857

Evaluating a Cloud-Based Service
(SD&I July 2016)
www.SecurityInfoWatch.com/12223384

Addressing Cloud Risk
(SD&I September 2016)
http://www.securityinfowatch.com/12243763

This article takes up the issue of how sales people can kill deals by saying the wrong things about cloud security.